This repository has been archived by the owner on May 26, 2023. It is now read-only.
chaduke - Some funds might be stuck in the bank contract forever, and nobody can withdraw them #54
Comments
github-actions
bot
added
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
chaduke
medium
Some funds might be stuck in the bank contract forever, and nobody can withdraw them
Summary
Some funds might be stuck in the bank contract forever, and nobody can withdraw them.
Vulnerability Detail
We show below how some funds might be stuck in the bank contract forever.
BlueBerryBank.withdrawLend()is called, it will withdrawwAmountof the underlying tokens from the vault that corresponds toshareAmountof vault shares.https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L669-L704
However, when
wAmount > pos.underlyingAmount, onlypos.underlyingAmountof underlying tokens will be sent back to the user (minus the fee), the remainingwAmount - pos.underlyingAmountunderlying tokens will be stuck in the bank contract.There are no functions that will allow an owner/admin to withdraw these locked funds, they are lost.
Impact
Some funds might be locked in the bank contract and thus lost forever.
Code Snippet
See above
Tool used
Remix, VScode
Manual Review
Recommendation
The
withdrawLend()function should send all these tokens back to the user.Duplicate of #109
The text was updated successfully, but these errors were encountered: